Analysis
Max time kernel: 149s
Max time network: 121s
Platform: windows7_x64
Resource: win7-20240729-en
Resource tags: arch:x64, arch:x86, image:win7-20240729-en, locale:en-us, os:windows7-x64, system
Submitted: 01-08-2024 08:56
Behavioral task: behavioral1
Sample: 7fe3d3e31683778477219e67511be5c9_JaffaCakes118.exe
Resource: win7-20240729-en
General
Target: 7fe3d3e31683778477219e67511be5c9_JaffaCakes118.exe
Size: 403KB
MD5: 7fe3d3e31683778477219e67511be5c9
SHA1: b5d8bbb1d4572db9116e3495d37c6cd87368e8ab
SHA256: adbed124faeae69e6e0355bea43ee6531f390524eb7759140e5843e580f41fd6
SHA512: defc00b3b23db8ec2867aad0ded035e0ba4e859bd464bc02283ae5594c5e7bdc10516e5844270aeed900f72d4e9dcd21feae6eee4b8fd6e841bf5e41378bc221
SSDEEP: 6144:85SXvBoDWoyLYyzbkPC4DYM6SB6v+qLnAzYmhwrxcvkzmSBroh+:8IfBoDWoyFblU6hAJQnOc
Malware Config
Extracted: urelas
  218.54.31.165
  218.54.31.226
Signatures

Deletes itself (1 IoC)
  Processes: cmd.exe (PID 2740)

Executes dropped EXE (3 IoCs)
  Processes: ykkin.exe (PID 1880), jagugy.exe (PID 1540), jului.exe (PID 804)

Loads dropped DLL (5 IoCs)
  Processes: 7fe3d3e31683778477219e67511be5c9_JaffaCakes118.exe (PID 2188, 2 IoCs), ykkin.exe (PID 1880, 2 IoCs), jagugy.exe (PID 1540, 1 IoC)

Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).
System Location Discovery: System Language Discovery (1 TTP, 6 IoCs)
  Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
  IoC: Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language
  Processes: 7fe3d3e31683778477219e67511be5c9_JaffaCakes118.exe, ykkin.exe, cmd.exe, jagugy.exe, jului.exe, cmd.exe
Suspicious behavior: EnumeratesProcesses (55 IoCs)
  Processes: jului.exe (PID 804), 55 occurrences

Suspicious use of WriteProcessMemory (20 IoCs)
  Source PID / process -> target PID / process (count)
  2188 7fe3d3e31683778477219e67511be5c9_JaffaCakes118.exe -> 1880 ykkin.exe (4)
  2188 7fe3d3e31683778477219e67511be5c9_JaffaCakes118.exe -> 2740 cmd.exe (4)
  1880 ykkin.exe -> 1540 jagugy.exe (4)
  1540 jagugy.exe -> 804 jului.exe (4)
  1540 jagugy.exe -> 2948 cmd.exe (4)
Processes

C:\Users\Admin\AppData\Local\Temp\7fe3d3e31683778477219e67511be5c9_JaffaCakes118.exe (PID 2188)
  Command line: "C:\Users\Admin\AppData\Local\Temp\7fe3d3e31683778477219e67511be5c9_JaffaCakes118.exe"
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory

  C:\Users\Admin\AppData\Local\Temp\ykkin.exe (PID 1880)
    Command line: "C:\Users\Admin\AppData\Local\Temp\ykkin.exe" hi
    - Executes dropped EXE
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory

    C:\Users\Admin\AppData\Local\Temp\jagugy.exe (PID 1540)
      Command line: "C:\Users\Admin\AppData\Local\Temp\jagugy.exe" OK
      - Executes dropped EXE
      - Loads dropped DLL
      - System Location Discovery: System Language Discovery
      - Suspicious use of WriteProcessMemory

      C:\Users\Admin\AppData\Local\Temp\jului.exe (PID 804)
        Command line: "C:\Users\Admin\AppData\Local\Temp\jului.exe"
        - Executes dropped EXE
        - System Location Discovery: System Language Discovery
        - Suspicious behavior: EnumeratesProcesses

      C:\Windows\SysWOW64\cmd.exe (PID 2948)
        Command line: cmd /c ""C:\Users\Admin\AppData\Local\Temp\_vslite.bat" "
        - System Location Discovery: System Language Discovery

  C:\Windows\SysWOW64\cmd.exe (PID 2740)
    Command line: cmd /c ""C:\Users\Admin\AppData\Local\Temp\_vslite.bat" "
    - Deletes itself
    - System Location Discovery: System Language Discovery
Network
MITRE ATT&CK Enterprise v15
Downloads